Core issue
The VPN client fails to connect to the headend if it passes through a NATting or a PATting device. This issue occurs if inspection for IPsec traffic is not enabled on the passthrough device. When this issue occurs, the error message "regular translation creation failed for protocol 50" appears (protocol 50 is ESP, the IPsec data channel that the translation device does not know how to handle).
Resolution
In order to resolve this issue, enable IPsec Pass Through inspection on the PIX firewall with the inspect ipsec-pass-thru command.
The inspect ipsec-pass-thru command enables or disables the application inspection. The IPsec Pass Through application inspection provides convenient traversal of the Encapsulating Security Payload (ESP), IP protocol 50, and/or the Authentication Header (AH), IP protocol 51, traffic that is associated with an Internet Key Exchange (IKE) User Datagram Protocol (UDP) port 500 connection. It avoids a lengthy access list configuration in order to permit the ESP and the AH traffic and also provides security through an idle timeout and a maximum connection limit for those flows.
Apply these commands on the PIX in order to enable the IPsec Pass Through inspection. The original snippet omitted the policy-map, the inspect command itself and the service-policy that activates it; those lines are added here, and the names test-udp-policy and outside are placeholders to replace with your own policy-map and interface names:
hostname(config)#access-list test-udp-acl extended permit udp any any eq 500
hostname(config)#class-map test-udp-class
hostname(config-cmap)#match access-list test-udp-acl
hostname(config-cmap)#policy-map test-udp-policy
hostname(config-pmap)#class test-udp-class
hostname(config-pmap-c)#inspect ipsec-pass-thru
hostname(config-pmap-c)#exit
hostname(config-pmap)#exit
hostname(config)#service-policy test-udp-policy interface outside
Note: In PIX version 7.0, the inspect ipsec-pass-thru command allowed only ESP traffic to pass through, and the idle timeout for ESP data flows was set to 10 minutes by default. In later versions this command takes a parameter map, which identifies a specific map to use for the definition of the inspection parameters.
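As an added example (not part of the original article), this is the later parameter-map form the note refers to, written in running-config style: an inspection-type policy map sets the ESP and AH idle timeouts and per-client connection limits, and the service policy then references it. The names ipsec-pass-thru-map, test-udp-policy, test-udp-class and outside are assumed placeholders; the timeout and per-client-max values are sample values chosen for illustration.

```cisco
! Match the IKE control channel (UDP 500) that the inspection keys on.
access-list test-udp-acl extended permit udp any any eq 500
class-map test-udp-class
 match access-list test-udp-acl
!
! Inspection parameters: the ESP idle timeout is raised above the
! 10-minute default noted above, and AH is now permitted as well.
! per-client-max caps how many ESP/AH flows one IKE peer may open
! (assumed sample values; tune to your environment).
policy-map type inspect ipsec-pass-thru ipsec-pass-thru-map
 parameters
  esp per-client-max 10 timeout 0:11:00
  ah per-client-max 5 timeout 0:04:00
!
! Bind the parameter map to the IKE class and activate it on the
! interface that faces the NAT/PAT path (assumed name: outside).
policy-map test-udp-policy
 class test-udp-class
  inspect ipsec-pass-thru ipsec-pass-thru-map
!
service-policy test-udp-policy interface outside
```

Verify with show service-policy interface outside, which lists the inspect ipsec-pass-thru counters once the policy is active.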